A while back, I had reconfigured my oVirt engine to auth based on my
Samba AD server, and everything was working perfectly fine. oVirt
version 4.3.10.4-1.
Today, I tried to log in with my account into engine and I see:
server_error: The connection reader was unable to successfully complete
TLS negotiation:
SSLHandshakeException(sun.security.validator.ValidatorException: No
trusted certificate found), ldapSDKVersion=4.0.7,
revision=b28fb50058dfe2864171df2448ad2ad2b4c2ad58
I recently added a secondary domain controller with Samba, and I realize
now that there is an error. Since I didn't pre-initialize Samba with a
TLS certificate, it generated a new CA, and certificate and key for the
second server. Since I'm not using the same CA as the first server,
oVirt engine (which only has the CA of the first server) won't be able
to talk to the second server... no problem... I will fix that eventually.
However, when I re-ran "ovirt-engine-extension-aaa-ldap-setup", and
followed the exact steps I did before, oVirt is connecting to the first
server, failing with the above error, then connecting to the second
server, and the same error. The CA hasn't changed for the first server,
nor has the certificate/key. I verified that the CA certificate that I
am giving oVirt is matching with the exact CA certificate of the first
server.
How can I debug further?
Jason.
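
The trust relationship described in the message above (a client that holds only the first server's CA cannot validate a certificate issued by the second server's newly generated CA) can be reproduced offline. This is an added example, not part of the original post; the CA names, host names and files are constructed, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed lab: two private CAs, one server certificate issued by each.
# Every name and file here is made up for this example.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the self-signed certificates are marked as CAs.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_ca() {    # make_ca <name>: self-signed CA written to $WORK/<name>.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -subj "/CN=Constructed $1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue() {      # issue <ca-name> <host>: server cert written to $WORK/<host>.pem
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 1 -set_serial 1 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/$2.pem" 2>/dev/null
}

trusted_by() { # trusted_by <ca-name> <host>: exit 0 only if the chain validates
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

issuer_of() {  # issuer_of <host>: print the issuer DN of the server cert
    openssl x509 -in "$WORK/$1.pem" -noout -issuer
}

make_ca ca1; make_ca ca2
issue ca1 dc1.example.test          # first DC, issued by the CA the client holds
issue ca2 dc2.example.test          # second DC, issued by its own new CA
for dc in dc1.example.test dc2.example.test; do
    if trusted_by ca1 "$dc"; then r="trusted"; else r="NOT trusted"; fi
    echo "$dc: $r by ca1 ($(issuer_of "$dc"))"
done
# Against a live server (host and file are placeholders), the same check is:
#   openssl s_client -connect <dc>:636 -CAfile <ca.pem> </dev/null
```

Comparing the issuer printed for each server certificate with the subject of the CA file the client was given shows which CA a server's certificate actually chains to.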